A collaborative effort by the Virginia universities and centers.
Virginia ACCORD (Assuring Compliance for Computing and Research Data) is a new cyberinstrument project being developed through a partnership between the University of Virginia and eleven Virginia universities and research centers. The goal of ACCORD is to address a pressing need in the research community by providing a secured, capable, and accessible cyberinstrument that allows diverse data with different protection requirements to be hosted on a shared computing resource.
PI: Dr. Ron Hutchins, Vice President for Information Technology, University of Virginia
Co-PI: Dr. Scott Midkiff, Vice President for Information Technology & Chief Information Officer, Virginia Polytechnic Institute
Co-PI: Dr. Deborah Crawford, Vice President for Research, George Mason University
Co-PI: Dr. Andrew Grimshaw, Professor of Computer Science, University of Virginia
Co-PI: Dr. Masha Sosonkina, Professor of Modeling, Simulation, & Visualization Engineering, Old Dominion University
Project Director: Dr. Tho Nguyen, Managing Director - CAP, University of Virginia
The Community Advisory Board (CAB) is tasked with reviewing and providing feedback when appropriate on instrument technical design decisions, project progress, and governance structure. The CAB also serves as liaison to broaden the community of supporters and collaborators beyond the Virginia partners.
Von Welch, Director, Center for Applied Cybersecurity Research, Indiana University
Inder Monga, Executive Director, Energy Science Network (ESNET)
Ruth Marinshaw, CTO-Research Computing, Stanford University
Tom Lehman, Director of Research, Mid-Atlantic Crossroads (MAX)
Richard Starr, Research Scientist for Protected Health Data, Georgia Tech
Research universities have made significant progress over the past few years in developing cyberinfrastructure to support research computation on both the highly parallel and high throughput architectural axes. As usage by discipline scientists, researchers, and graduate students continues to grow, more generalized data protection is required for the set of architectures provided by these shared computing systems. A brief taxonomy analysis of common existing campus infrastructures (Figure 1) exposes gaps in research computing capabilities that are necessary to adequately meet specific computational demand when paired with appropriate data protection. In order to address these issues without further investing in separate purpose-built systems, an agile platform is needed to facilitate suitable resource allocation while guaranteeing the appropriate protection controls required for datasets hosted on the shared resource. For our proposed work, we will design a cyberinfrastructure instrument that can implement user-specified protection controls over datasets while provisioning appropriate computing resources to meet computational needs, lowering the barriers for research on the instrument.
The new Virginia ACCORD instrument will also be made available to partner institutions by leveraging protected science DMZs coupled with DTNs. We will take advantage of the MARIA (Mid-Atlantic Research Infrastructure Alliance) network to engage other Virginia public research institutions to broaden access to this new cyberinfrastructure instrument.
INTELLECTUAL MERIT: This MRI proposal will result in the design, deployment, and operation of a new cyberinfrastructure instrument that provides the necessary computing, storage, and networking capabilities to researchers while helping them comply with protection controls required by sponsors. Concurrently, this instrument also enables project sponsors to verify enforcement and audit data protection policies reliably and conveniently. The instrument enables workflow design aimed at lowering the barrier of access to allow researchers from multiple disciplines to easily specify and implement the appropriate protection controls that meet their needs. The instrument design can be adapted by other research institutions to develop their own instrument supporting secured data analytics on shared computing resources.
BROADER IMPACT: This cyberinstrument will break down the need for siloed computing resources, enabling more efficient development and use of research cyberinfrastructure. Through the MARIA network, we aim to immediately extend the value of the UVa cyberinstrument to other Virginia research universities, including minority serving universities and centers - e.g., VSU. Other regional and national partners can also engage the UVa/MARIA instrument directly through partnerships or leverage our knowledge and best practices to build their own. The distributed instrument used by researchers across multiple disciplines and institutions will result in new opportunities for research collaborations, whether among universities or with government and industry, as well as enable a rich environment for research training activities.
The ACCORD instrument can be described by the overall workflow it enables, as shown in Figure 2. When a researcher is awarded a contract for specific work involving sensitive data, specifications for protection of the data - often specified by the research sponsor or partners - are documented in the data management plan in the research contract negotiated by both parties. The protection policies are distilled into a set of controls that can be matched with individual jobs to create a Project Policy Document (PPD).
When the researcher initiates a job as part of a project, the Project Policy Document (PPD) is created by matching the job with appropriate controls relevant to the project. The 'certified/signed PPD' is sent to the SAFE (Secure Architecture and Federated Environment) Client where it is checked to ensure compliance on both ends (incoming job and the SAFE). The job package is then sent to the SAFE where the appropriate compute, network, and storage resources are configured and 'packaged' together. The virtually 'packaged' machine is then used to execute the job and deliver results to the researcher. Instrument capabilities include:
At the heart of ACCORD is the SAFE (Secure Architecture and Federated Environment), which is a single platform consisting of heterogeneous compute resources, storage resources, and a routing engine providing internal networking as well as external connectivity. The SAFE is designed to support the ACCORD workflow, which makes using the SAFE as easy as using existing systems; and the SAFE's innovative routing layer ensures that all applications running on the SAFE can satisfy and document their compliance with required security policies.
High throughput and true parallel HPC architectures are both well understood from an operational perspective; and countless systems at various scales and performance levels have been successfully built and used to provide security and data protection to specifications required by the users. Naturally, in order to enable a cyberinstrument that provides both HTC/HPC capabilities as well as responsively assuring appropriate security compliance per job, the SAFE leverages and integrates techniques and mechanisms that have previously been proven. Developing the SAFE requires us to take a new look at how to build a responsive architecture, where central to the architecture design is an innovative and capable routing engine that translates the new policy-driven markup language to operate a federation and provisioning service.
Furthermore, the technical design of the SAFE architecture, as well as the implementation plan, is being developed in close coordination with campus security and compliance personnel in order to guarantee meeting requirements at every stage of instrument development - i.e., correctness by construction.
In contrast to fixed pools of hardware/software dedicated to a particular class of applications, the SAFE provisioning service dynamically reconfigures the hardware and software resources to meet the demands of jobs that are presented to it. The result is that each job is provided with a set of resources from the resource pool. The set of resources associated with a job can be thought of as an island of resources.
The network and operating system security settings are configured to manage both intra-island communication and security and inter-island communication. Intra-island configurations control VLAN settings (or their equivalent in IB networks) as well as firewall settings, operating system identity spaces, file system mounts, etc. The inter-island settings include whether the IP addresses are publicly routable, whether incoming packets are allowed in, whether outgoing connections are allowed, and so on.
The goal is to create a set of islands with configurable policies with respect to external communication. Some of the islands will persist for long periods of time, some for short periods of time. Inter-island security (authentication, access control, data integrity) is realized using the XSEDE federated identity management, federated Execution Management Services, and Global Federated File System as well as other tools as appropriate.
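The check of a signed PPD against an island's intra-island and inter-island settings, as described in the workflow and island paragraphs above, can be sketched as follows. This is an added example, not ACCORD or SAFE code: every field name is hypothetical because the page defines no PPD or island format, and HMAC-SHA256 stands in for whatever certification scheme the instrument actually uses.

```python
import hashlib
import hmac
import json

# Hypothetical field names: the page does not define a PPD or island format.
INTER_ISLAND = ("publicly_routable", "allow_inbound", "allow_outbound")


def sign_ppd(ppd, key):
    """HMAC-SHA256 over canonical JSON, standing in for the certified/signed PPD."""
    body = json.dumps(ppd, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def check_island(ppd, signature, key, island):
    """Return the list of violations; an empty list means the job may run."""
    if not hmac.compare_digest(sign_ppd(ppd, key), signature):
        return ["PPD signature invalid"]  # never evaluate an unauthenticated policy
    controls = ppd["controls"]
    violations = []
    # Inter-island: an island may be stricter than its PPD, never looser.
    for name in INTER_ISLAND:
        permitted = controls.get(name, False)  # control absent => not permitted
        enabled = island.get(name, True)       # setting absent => assume exposed
        if enabled and not permitted:
            violations.append(f"{name} is enabled but not permitted")
    # Intra-island: VLAN isolation and file system mounts.
    if controls.get("dedicated_vlan", True) and island.get("vlan_shared", True):
        violations.append("VLAN is shared with another island")
    approved = set(controls.get("approved_mounts", []))
    for mount in sorted(set(island.get("mounts", [])) - approved):
        violations.append(f"unapproved mount {mount}")
    return violations


# Constructed sample data, not taken from the ACCORD design documents.
KEY = b"constructed-demo-key"
PPD = {"project": "demo-phi-study", "controls": {
    "publicly_routable": False, "allow_inbound": False, "allow_outbound": True,
    "dedicated_vlan": True, "approved_mounts": ["/project/demo"]}}
SIG = sign_ppd(PPD, KEY)
GOOD_ISLAND = {"publicly_routable": False, "allow_inbound": False,
               "allow_outbound": True, "vlan_shared": False,
               "mounts": ["/project/demo"]}
BAD_ISLAND = dict(GOOD_ISLAND, allow_inbound=True,
                  mounts=["/project/demo", "/scratch"])

if __name__ == "__main__":
    print(check_island(PPD, SIG, KEY, GOOD_ISLAND))
    print(check_island(PPD, SIG, KEY, BAD_ISLAND))
```

Both defaults fail closed: a control missing from the PPD is treated as not permitted, and a setting missing from the island description is treated as exposed, so an incomplete description cannot pass the check.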
Detailed description of the SAFE's technical design is available for inspection and feedback from the community. For access to the technical design material, please contact the Project Manager, Dr. Tho Nguyen, at: firstname.lastname@example.org.
Toward demonstrating the research and research training community's need for the Virginia ACCORD cyberinstrument, the PI team has been reaching out to the Virginia partner institutions to identify projects that could benefit from capabilities enabled by this platform.
We received enthusiastic responses with diverse project examples covering a wide spectrum of disciplines, domains, and sectors. It is clear that the capabilities of the proposed cyberinstrument will benefit the arts and humanities, natural and life sciences, medical sciences, engineering and technology sciences, and many others. Researchers in Astronomy and Criminal Justice alike find uses for flexible, secured, and accessible data protection capabilities. Such capabilities will also enable new project sponsorships, public-private partnerships, and peer-to-peer collaborations.
While we cannot exhaustively present all possible use cases, the summaries linked above are illustrative of the science use cases collected from the participating Virginia institutions. These use cases span multiple axes of potential applications using the proposed cyberinstrument, including the security requirement axis, the performance demand axis, and diverse domain areas.
We continue to welcome contributions of new science use cases from the broad research community. If you are interested in using the Virginia ACCORD cyberinstrument, please contact Dr. Katherine Holcomb or a member of the PI team.
Virginia Smart City Actuator: ACCORD supporting business startups "...The Smart City Actuator program is an innovative initiative by the State of Virginia to catalyze new solutions in smart cities that will drive the State's economy and benefit the public. Many smart cities startups are analyzing data to inform important development decisions in public safety, education, health, and the environment. Handling of "smart city" data, which often comprises both publicly available and protected data, imposes a demand on cyberinfrastructure and personnel expertise that is difficult to meet by startup companies. The ACCORD platform is a potential game-changing partner that supports the sensitive data protection tasks for startups, freeing up resources and allowing them to focus on innovating their product..." David Ihrie, CTO, Virginia Center for Innovative Technology
Center for Visual and Data Analytics: ACCORD underpinning industry-university research collaborations "Members of the financial industry compete for business; however, they are also very interested in collaborating on topics of mutual interest such as combatting financial fraud. Sharing data and collaborating with researchers allow companies to better understand and detect fraud; but data sharing must be balanced with not giving away client information, business strategies, or other sensitive "secret sauce" information. The Center for Visual and Decision Informatics at UVA is a National Science Foundation Industry/University Cooperative Research Center. CVDI works with partners such as Capital One to research and develop novel, privacy-preserving fraud detection and deterrence techniques. The ACCORD instrument is a much-needed platform that enables these partners to share data with CVDI researchers in a secured and controlled manner. This new collaboration mechanism will advance the industry's overall robustness and enhance business development in the Commonwealth." Peter Beling, Director of UVA CVDI Site, University of Virginia
GMU: ACCORD assuring compliance and secure research "The ACCORD initiative has the exciting potential to foster cross-institutional research collaboration projects that require not only significant computing resources, but also secure data protection capability. By providing secure, high performance computing, this initiative lowers the entry barriers to researchers who might not otherwise be able easily to meet the increasingly stringent standards that are being required by both government and private-sector sponsors." Rebecca Hartley, Director of Export Compliance & Secure Research, George Mason University
Healthy Appalachia Institute: ACCORD supporting healthcare research in remote and underserved areas "The University of Virginia's College at Wise is dedicated to serving members of the Appalachian communities in SW Virginia. Programs such as the Healthy Appalachia Institute are beneficial to the College in its research efforts and education mission as well as in providing a valuable healthcare service to residents. In addition to storing and accessing patient data by care providers, researchers also analyze data to identify health concerns and problematic issues, enabling them to provide better services throughout the community. As part of that service, the College strives to provide the utmost protection for all patient health data. Through the ACCORD system, service providers and researchers are conveniently able to store, access, share, and analyze health data while data are protected end-to-end." Scott Bevins, Asc. Vice Chancellor for Information Services, UVA College at Wise
JMU: ACCORD supporting collaborations at a low cost "James Madison University is striving to provide high-impact learning experiences such as undergraduate research and service learning in a climate that fosters intellectual engagement in and outside the classroom. Collaborating on the ACCORD project provides JMU faculty, students, and staff access to advanced computing resources and data management capabilities. The ACCORD cyberinstrument will be an important platform enabling the JMU community to collaborate among ourselves as well as with other partners in the Commonwealth." Dale Hulvey, Asc. Vice President for Information Technology, James Madison University
We welcome community engagement in multiple capacities. In addition to the technical design feedback, we especially welcome contributions from the policy/compliance community. We also welcome feedback from the application researchers to develop an effective workflow.
ACCORD Spring 2017 All-Hands Meeting (AHM) - Hosted at The University of Virginia on March 27, 2017.
The Spring 2017 AHM convened ACCORD partners to bring everyone up to date on project status and plan several key activities going forward. The Architecture WG reports plans to test provisioning solutions. The architecture team will also take on establishing the desired workflow based on specific use cases. The ACCORD team discussed several options for collaboration with a representative from the Science Gateway Community Institute. Specifically, SGCI experience and expertise will be helpful to the architecture team as they work on identity management and workflow design.
Going forward, the ACCORD consortium members agree on kick-starting several major projects:
Strategy & planning meeting - Hosted at The University of Virginia on September 12, 2016. The planning meeting convened representatives of the technical and policy teams from partner institutions. The goal was to discuss the overall design of the Virginia ACCORD cyberinstrument. Attendees agreed that the proposed instrument capabilities are currently lacking in the community. The technical attendees agreed on the feasibility of realizing the instrument's design concept. The PI facilitated discussions on how to best involve each of the Virginia partners. The meeting concluded with a clear timeline and milestones toward completing the project proposal.
Project kick-off meeting - Hosted at The University of Virginia on August 25, 2016.
The kick-off meeting brought together the initial interested partners to the University of Virginia where the PI, Ron Hutchins, presented the vision of the project. Participating Virginia universities and organizations expressed strong support for the project. The team reached consensus on going forward establishing project governance and strategies.